SimplyClub

Member Profile Update

member profile security dropins

Update a logged-in member’s profile from the widget. Identity fields — phone, email, and the POI customer-id (UDF) — are intentionally not editable here; only ordinary profile fields are. This keeps a shopper from re-pointing their account to someone else’s storefront identity or contact.

TL;DRPATCH /api/v1/members/:poiId accepts an allowlist of profile fields. Phone is forced from the session, the customer-id UDF is never writable, and email can only be added once — never overwritten.


1. Endpoint

PATCH {BASE_URL}/api/v1/members/:poiId
Authorization: Bearer <session token>

Send a partial member object. Only allowlisted keys reach Simply Club; anything else is dropped server-side (no error — silently ignored).

2. What you can edit

FieldNotes
first_name, last_name (or fullName)
birthday, wedding_dayDD/MM/YYYY
personal_id
marketing consent — if_send_sms, if_send_email, marketingOptIn

3. What you can’t edit (and why)

FieldRule
phoneForced from the authenticated session. Changing it needs a fresh OTP.
customer-id (UDF)Never client-writable — prevents claiming another shopper’s storefront identity.
emailCannot be overwritten. Can be added once when empty — see §4.

4. Email is write-once

Email is not an identity/lookup key (Simply Club identity is phone-only) — but it can be stored as contact info. It is accepted only when both hold:

  • the member has no email yet, and
  • no other member already uses that address.

A same-value resend is a no-op. Changing an existing email is rejected — that needs a verified email-change flow, which is not yet available.

5. Error codes

HTTPCodeMeaning
400INVALID_EMAILEmail is malformed.
400EMAIL_TAKENAnother member already uses this email.
400EMAIL_CHANGE_FORBIDDENThe member already has a different email; changing it here is not allowed.
400MEMBER_LOAD_FAILEDThe session’s member could not be loaded — retry.

Related: Fast Login · Login From Backend